
guzzlehttp/psr7's fix for CVE-2022-24775 broke TableRestProxy::batchAsync #327

Closed
spaze opened this issue Mar 22, 2022 · 2 comments
spaze commented Mar 22, 2022

Which service(blob, file, queue, table) does this issue concern?

Table

Which version of the SDK was used?

1.1.5

What's the PHP/OS version?

PHP 8+/Ubuntu

What problem was encountered?

After upgrading guzzlehttp/psr7 to 2.1.1+, batch requests fail

Steps to reproduce the issue?

  1. Update guzzlehttp/psr7 to 2.1.1+, I went to 2.2.1 (latest)
  2. Send some batch requests
  3. InvalidArgumentException is thrown with:

	"multipart/mixed; 
	 boundary="batch_56a456ec-a7c9-4faa-8101-35a8f58c3f62"" is not valid header value

This is because guzzlehttp/psr7 has fixed a security vulnerability (CVE-2022-24775) and the fix broke MimeReaderWriter::encodeMimeMultipart():

$batchHeaders['Content-Type'] = $mimeType . "; $eof boundary=\"$batchId\"";

encodeMimeMultipart() is used in \MicrosoftAzure\Storage\Table\TableRestProxy::createBatchRequestBody, which in turn is used in \MicrosoftAzure\Storage\Table\TableRestProxy::batchAsync.

This is the guzzlehttp/psr7 fix: guzzle/psr7#485 (relevant lines); it disallows new lines in header values. Please note the regex was updated in guzzle/psr7#492, but that wasn't relevant to the reported issue.

Have you found a mitigation/solution?

Yes #328 but you know me already 😅
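The failure described above, as an added example (not code from azure-storage-php or guzzlehttp/psr7): the `assertHeaderValue` check below is a simplified RFC 7230 field-value check written for this example, not psr7's actual regex, and the two builder functions are stand-ins for the header construction before and after the #328 change.

```php
<?php
declare(strict_types=1);

// Added example; not the SDK's or psr7's code. The validator is a
// simplified stand-in for the check psr7 added for CVE-2022-24775.

/**
 * Reject any header value containing a bare CR or LF. A newline in a
 * field value lets the value be interpreted as a new header line, which
 * is why strict clients refuse it (the obsolete CRLF+whitespace line
 * folding is rejected outright, as modern parsers do).
 */
function assertHeaderValue(string $value): void
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException(
            sprintf('"%s" is not valid header value', $value)
        );
    }
}

// Shape of the header before the fix: PHP_EOL is interpolated into the
// middle of the value, so the Content-Type spans two lines.
function brokenBatchContentType(string $batchId): string
{
    $eof = PHP_EOL;
    return "multipart/mixed; $eof boundary=\"$batchId\"";
}

// The same header on a single line, which a client with strict header
// validation accepts.
function fixedBatchContentType(string $batchId): string
{
    return "multipart/mixed; boundary=\"$batchId\"";
}

$batchId = 'batch_' . bin2hex(random_bytes(8)); // constructed sample id

try {
    assertHeaderValue(brokenBatchContentType($batchId));
    echo "unexpected: old header accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'old header rejected: ' . $e->getMessage() . "\n";
}

assertHeaderValue(fixedBatchContentType($batchId));
echo 'new header accepted: ' . fixedBatchContentType($batchId) . "\n";
```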

@ScottHelme

@katmsft @XiaoningLiu this is a pretty big blocker, any chance it could be looked at?


spaze commented Mar 22, 2022

If anyone wants/needs to update their guzzlehttp/psr7 to fix the reported vulnerability, here's how you can do it immediately without waiting for a new Azure SDK release (which experience from previous releases tells me will not happen any time soon).

Get the patch from the PR with

wget https://github.com/Azure/azure-storage-php/pull/328.diff

Add this to your composer.json:

	"extra": {
		"patches-file": "patches/composer.patches.json"
	},

Add the composer.patches.json file:

{
	"patches": {
		"microsoft/azure-storage-table": {
			"No EOLs in Content-Type headers": "patches/azure-328-no-eol-in-headers.diff"
		}
	}
}

And finally, install and use the cweagans/composer-patches Composer plugin to patch the file locally. Run composer update microsoft/azure-storage-table after installing the plugin.

Once, and if, the maintainers release the new version, you can simply remove the plugin and the composer.patches.json file (and PATCHES.txt from the vendor/microsoft/azure-storage-table dir).
